
I have an exe file which is sending an HTTPS request to the remote server and, I think, is downloading something from the site. With Process Hacker 2 I've got only the remote IP, but I need to see the GET or POST parameters too. Wireshark sees the sent request, but all data is encrypted by SSL. It looks like this: https://prnt.sc/sft9a6 Is there any way to decrypt SSL traffic?

  • 1
    wiki.wireshark.org/TLS: you can probably start from there, or from google.com/search?&q=wireshark+ssl. What have you found and tried so far? Where are you stuck? What problems have you run into?
    – Mokubai
    Commented May 13, 2020 at 7:27
  • @Mokubai I have added the environment variable for SSL certificate sniffing, but the file remains empty, so I can't really do anything with it: prnt.sc/sftpwl
    – Mike2233
    Commented May 13, 2020 at 7:33

1 Answer


Try running the traffic from the exe file through a TLS proxy to inspect the decrypted TLS traffic. You can use PolarProxy (our tool) or SSLsplit to generate a PCAP file with the traffic in decrypted form. Another option is to run the traffic through mitmproxy and let it export the SSL key material.

Also, setting an SSLKEYLOGFILE environment variable will probably not be of much help, since it is only respected by a handful of applications, primarily browsers. Most other software will simply continue doing SSL as usual, without logging any keys. This issue is particularly obvious when trying to analyze network traffic from malware.

  • Is your tool available for Windows? I see only links for Linux, and for Windows only some certificate installations.
    – Mike2233
    Commented May 16, 2020 at 6:17
  • @Mike2233 We have so far only released Linux builds of PolarProxy. We'd love to release a Windows build as well, but we haven't found a decent way of redirecting outgoing traffic to the proxy in Windows. The Windows firewall doesn't allow REDIRECT actions for Outbound Rules (only ALLOW and BLOCK). This limitation defeats the purpose of running the proxy on the Windows machine.
    – netresec
    Commented May 18, 2020 at 6:39
  • @mike2233 Update: There is now a Windows build of PolarProxy. We also have macOS builds for x64 and ARM64 (M1/M2).
    – netresec
    Commented Nov 25, 2022 at 8:24
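The "file remains empty" problem from the comments, as an added example that is not part of the answer or of any of the tools it names: a small checker for an SSLKEYLOGFILE in the NSS key log format that Wireshark reads, reporting per TLS session (keyed by the client random) whether the logged labels are enough to decrypt application data. It assumes the standard label names written by the OpenSSL/NSS/BoringSSL key-logging callbacks; the sample log is constructed.

```python
import re

# Labels written by the key-logging callbacks of OpenSSL, NSS and BoringSSL.
TLS12_LABEL = "CLIENT_RANDOM"  # followed by the 48-byte master secret
TLS13_APP = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_HS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
# Each line is "<LABEL> <32-byte client random, hex> <secret, hex>".
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-f]{64}) ([0-9a-f]+)$", re.I)

def parse_keylog(text):
    """Map client_random -> {label: secret}; '#' comments and blank lines are skipped.
    A line that does not follow the NSS key log format raises ValueError."""
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(3)) % 2:
            raise ValueError(f"line {lineno}: not NSS key log format")
        label, client_random, secret = m.groups()
        sessions.setdefault(client_random.lower(), {})[label.upper()] = secret.lower()
    return sessions

def session_status(labels):
    """What Wireshark can do with one session, given the set of logged labels."""
    if TLS12_LABEL in labels:
        return "tls12-decryptable"  # master secret covers both directions
    if TLS13_APP <= labels:
        return "tls13-decryptable"  # both application traffic secrets present
    if labels & (TLS13_HS | TLS13_APP):
        return "tls13-partial"      # handshake only, or only one direction
    return "unusable"

def keylog_report(text):
    """Summarise a key log: session count, whether it is empty, status counts."""
    sessions = parse_keylog(text)
    counts = {}
    for labels in sessions.values():
        status = session_status(set(labels))
        counts[status] = counts.get(status, 0) + 1
    return {"sessions": len(sessions), "empty": not sessions, "status": counts}

# Constructed sample: a TLS 1.2 session, a complete TLS 1.3 session, and a
# TLS 1.3 session whose application traffic secrets were never written.
SAMPLE = "\n".join([
    "# constructed sample key log",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "33" * 32 + " " + "ff" * 32,
])
```

An `"empty": True` result on a log produced while the program made HTTPS connections is the case the answer describes: the application does not honour SSLKEYLOGFILE, and a TLS proxy is the remaining option.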

